Australians' private government details at mercy of hackers, say IT security experts

Ben Grubb and Noel Towell

The private records of millions of Australians – including their doctor visits, prescription drugs, childcare and welfare payments – are at the mercy of cyber criminals because of flimsy IT security around a critical federal government website, IT security experts warn.

And they say the risk will increase from the middle of the year, when the government will make it compulsory for Australians to use the my.gov.au website to lodge their electronic tax returns, potentially also exposing their financial and banking records to hackers.


Government website security not up to scratch


The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and NDIS government accounts. If users link their different accounts, information accessible includes their name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, welfare and childcare reimbursement payments.

But Sydney software architect and IT security consultant Troy Hunt said the controls used to protect the site were "insufficient" and "irresponsible" and considerably weaker than many other large websites such as Google, Twitter and note-taking app Evernote.

Some of the information accessible via my.gov.au when linking it to Medicare.

He called on the government to introduce "two-factor authentication" to better protect the sensitive information. The process is commonly used by banks and other sites, requiring users to put in a token, or code, sent to their mobile phone before they are allowed access to their account.
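The mechanism described above, a short code delivered to the user's phone that must be entered before the session is granted, can be illustrated from the server side. The following is an added example written for this article, not code from myGov or from any bank; the storage, the five-minute lifetime, the five-attempt limit and the account names are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5         # assumed number of guesses before the code is discarded


class OneTimeCodeStore:
    """Server-side record of codes that have been sent out, keyed by account.

    In-memory for the example only; a deployment would use a shared store.
    The clock is injectable so that expiry can be exercised in a test.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, account: str) -> str:
        """Generate a six-digit code for the account and remember only a salted hash of it."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[account] = {
            "salt": salt,
            "digest": digest,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The plaintext code goes to the delivery channel (SMS gateway, app push);
        # it is returned here only so the caller can hand it on, and is never logged.
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, and only for a bounded number of tries."""
        rec = self._pending.get(account)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[account]          # expired: force a fresh code
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: discard the code
            return False
        candidate = hashlib.sha256(rec["salt"] + submitted.encode()).digest()
        ok = hmac.compare_digest(candidate, rec["digest"])  # constant-time comparison
        if ok:
            del self._pending[account]          # single use
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("example-account")   # constructed account name
    print("wrong code accepted:", store.verify("example-account", "000000" if code != "000000" else "111111"))
    print("right code accepted:", store.verify("example-account", code))
    print("replay accepted:    ", store.verify("example-account", code))
```

The three properties worth noting are that the server never stores the code in clear, that a code is consumed on first successful use so an intercepted value cannot be replayed, and that the attempt counter stops a six-digit space from being searched exhaustively.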

"I'm surprised and concerned that the security controls protecting my medical [and tax] records are less than those protecting my recipes stored in Evernote," Mr Hunt said. "I think given the class of information they're protecting I'd call it irresponsible simply because I expect two-factor authentication for information that is much less valuable."


Ty Miller, director of Sydney IT security firm Threat Intelligence, is concerned that the password requirements of myGov are "weak". The site only requires passwords to be seven characters long and include at least one number, meaning people would not be stopped from using the highly insecure "password1" and similar common words.
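The rule Mr Miller describes (at least seven characters, at least one number) can be written down and compared with a rule that actually screens out "password1". The code below is an added example for this article, not code from myGov; the hardened policy, its twelve-character minimum and the small blocklist are assumptions chosen for illustration, and a real deployment would check against a large list of passwords known from breaches rather than the handful constructed here.

```python
import re

# Constructed blocklist of common base words; a deployment would load a large breached-password list.
COMMON_BASE_WORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "monkey", "dragon",
}


def article_policy(pw: str) -> bool:
    """The rule the article attributes to the site: seven characters and at least one digit."""
    return len(pw) >= 7 and re.search(r"\d", pw) is not None


def _base_word(pw: str) -> str:
    """Lowercase the password and strip trailing digits and symbols.

    People satisfy a 'must contain a number' rule by appending one, so
    'Password2014!' is judged by its base word 'password'.
    """
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def hardened_policy(pw: str, min_length: int = 12) -> tuple:
    """Assumed stronger rule: length, blocklist of common words, and some variety of characters.

    Returns (accepted, reason) so the caller can tell the user why a choice was refused.
    """
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if pw.lower() in COMMON_BASE_WORDS or _base_word(pw) in COMMON_BASE_WORDS:
        return False, "based on a commonly used password"
    if len(set(pw.lower())) < 4:
        return False, "too few distinct characters"
    return True, "ok"


def compare_policies(candidates):
    """Map each candidate to (accepted by article rule, accepted by hardened rule)."""
    return {pw: (article_policy(pw), hardened_policy(pw)[0]) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample passwords
    samples = ["password1", "Password2014!", "aaaaaaa1", "correct horse battery staple"]
    for pw, (weak_ok, strong_ok) in compare_policies(samples).items():
        print(f"{pw!r}: article rule accepts={weak_ok}, hardened rule accepts={strong_ok}")
```

The contrast the output shows is the one the article is making: the seven-characters-plus-a-digit rule admits "password1" and "Password2014!" while refusing a long passphrase that has no digit at all, whereas a length-plus-blocklist rule does the reverse.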

Fairfax Media has confirmed the Tax Office will announce next month that taxpayers must sign up to myGov to complete their electronic tax returns. More than a million people lodged their tax this way last year.

E-health records, including prescription drugs, are also accessible using my.gov.au.

Taxpayers Australia spokesman Mark Chapman said he supported the move to myGov in principle but was worried about the lack of reassurance that taxpayers' data would be safe.

"We need reassurance from the myGov [software] developers that taxpayers' information will be fully secure and in particular we are very concerned about the username facility, which seems to make it too easy for third parties to find out your myGov identity by stealing the written record of your username, which all taxpayers will need to keep," he said.

Access to the portal requires just a user name, password and one security question to be answered. The user name is randomly generated, but Mr Hunt says this could be easily uncovered by criminals if they gained access to users' email. If weak secret questions were used, hackers could easily access accounts by guessing answers, Mr Hunt warned. This happened in 2008 when US politician Sarah Palin had her email hacked after her security questions – such as which high school she attended – were deduced.

The Department of Human Services, which runs myGov, said it was confident all users' personal information and records were "in very safe hands". "We closely monitor the use of myGov, to ensure that the security of the system is maintained. As technology evolves the department will continue to ensure the service meets community security expectations," said its general manager, Hank Jongen.